Inside Mega: The Second Coming Of Kim Dotcom

The FBI executed his last business. But his new startup--with three million users in three months--won't be so easy to kill. (Photo: Brendon O'Hagan for FORBES)

Kim Dotcom, a.k.a. Kim Tim Jim Vestor, a.k.a. Kim Schmitz, doesn't act much like a man with a net worth in the negative.

At 11 a.m. on a Tuesday he's driving me around on a golf cart "safari" of his 60-acre estate outside of Auckland, New Zealand. He weaves among a grove of olive trees with alarming speed--he's removed the speed regulator in his fleet of electric buggies, and they can clock up to 19 miles per hour. We swing past his 2,000-bottle-a-year vineyard and barrel down a hill toward his $30 million mansion, complete with a hedge maze, a five-flatscreen Xbox room and a 75-foot cascading water display.

Given that he owes millions of dollars to defense lawyers and now has to raise his five children on a $20,000-a-month government allowance meted out from his frozen bank accounts, wouldn't it be wise to live a slightly simpler life?

"No way," he says, leaning his massive 6-foot-7, 300-plus-pound body onto the cart's steering wheel. "That would be allowing them to get away with this stunt. I won't accept that. By staying here I'm saying, 'Eff you! You can't defeat me!'"

The "stunt" Dotcom refers to is the police helicopter raid on his compound that made global headlines 15 months ago, timed to coincide with the U.S. indictment that shut down his ultrapopular constellation of Mega-branded websites under charges of hosting half a billion dollars' worth of pirated movies and music. Overnight Dotcom went from an underground entrepreneur to one of the most public and controversial figures on the Internet. His site domains, including the flagship Megaupload.com, are now the property of the U.S. government. His servers have been ripped out of data centers around the world and sit in evidence warehouses. He's had to let go of 44 of his 52 house staff as well as Megaupload's hundreds of employees. All but 2 of his 18 cars have been seized or sold.

But today Kim Dotcom is putting all of that in his souped-up golf cart's rearview mirror. His new storage startup, called simply Mega, launched Jan. 20, defiantly a year to the day after the sudden destruction of Megaupload. It's already exploded to exceed 3 million registered users. His engineers tell me it's moving 52 gigabits of data per second--that's nearly half the entire bandwidth of New Zealand--and growing at 30% a week. The traffic has been driven in part by Dotcom's own larger-than-life persona: an Internet mogul who doubles as either an intellectual-property-stealing supervillain or an oppressed freedom fighter, depending on whom you ask.

Either way, Dotcom has learned from his legal misadventures and promises that the copyright cabal will find this company much harder to snuff. Mega is "the Privacy Company." Unlike Megaupload, everything sent to Mega is encrypted. No one can decrypt those scrambled files except the user--not the FBI, not the Motion Picture Association of America, not even Kim Dotcom. Mega claims to keep the eyes of both authorities and snoops off its users' files, a libertarian ideal that fits neatly into Dotcom's personal narrative as a victim of the U.S. government's overreach into the digital world. "Mega is not just a company," he says. "It's a mission to encrypt the Internet. We want to give the power back to the user."

The revenge Dotcom is planning, he says, will be twofold: Not only will his new, better company be immune from his enemies, but he has also hired a team of 28 global lawyers who he believes will make the U.S. government pay for treating the Internet as a subjugated colony.

He powers his golf cart up a steep hill to a peak overlooking his estate, with life-size giraffe sculptures in the distance and MEGA spelled out in 15-foot-tall white letters laid out next to his winding driveway.

"This is a low point," Dotcom says quietly. But his sulking doesn't last long. "I'm going to be bigger than ever."

***

IN 2009 A STUDY by traffic-research firm Arbor Networks and the University of Michigan found that a little-known collection of sites was responsible for a gargantuan amount of the Internet's data--their hosting firm was using twice as much bandwidth as Facebook. The sites, including Megaupload and Megavideo, seemed to have been registered in 2005 to one Kim Schmitz, a German ex-hacker and ex-con. But a spokesperson at Megavideo told FORBES at the time that no person by that name was associated with the company.

"Technically that was correct," says Megaupload's 39-year-old founder years later. In 2005 Kim Schmitz had legally changed his name to Kim Dotcom, and he saw no need to reveal his new identity to a nosy reporter. "Back then I kept a low profile."

Kim Dotcom may have been publicity shy, but Kim Schmitz had already been in plenty of headlines. Growing up in the northern German city of Kiel, the teenage Schmitz had been a notorious figure on the early Internet underground. Before the advent of the Web, Schmitz ran a bulletin board service called "House of Coolness" that users remember as a hub for trading videogames with cracked copy protections and stolen calling cards. (Today Dotcom so vehemently denies that the service hosted substantial copyright-infringing material that he threatened legal action to prevent us from publishing this story.)

Learning from the hackers who inhabited his forum, Schmitz developed a knack for breaking into corporate telephone switches known as PBXs to hijack modems that could be used for free Internet connections. Using the nom de guerre Kimble, he bragged to FORBES in 1992 that he had compromised more than 500 of the systems. Schmitz was soon busted by German police for a scheme that earned him $50,000 by funneling hacked PBX traffic to a paid bulletin board service he'd set up in Hong Kong.

After two years of probation Schmitz leveraged his hacker reputation into a security business that he later sold to the German technical conglomerate TUV Rheinland. He rose to prominence as a flashy dotcom investor, throwing lavish parties, renting yachts and winning a round-trip cross-continent road rally from London to St. Petersburg in his custom Mercedes Brabus. But in 2002 Dotcom was hit with insider trading charges over his role in a Groupon-like company called Letsbuyit and pled guilty. With his reputation tattered in Germany, he fled to Hong Kong and changed his name to Kim Tim Jim Vestor, swapping first names on a whim.

Kim's new scheme, and the one that would become the most lucrative of his career, arose from a simple problem on the pre-YouTube Internet. There was no easy way to attach video files to e-mail, such as clips of his road rallies. So he, his old hacker friend Matthias Ortmann and Bram Van Der Kolk, a fan from his racing days, created Megaupload as a no-frills data storage and video service. The Hong Kong-based company started popping up on racing forums and soon was doubling in user adoption on a yearly basis. The 34-year-old hacker from Kiel changed his name a final time to reflect his new digital ambitions: Kim Dotcom.

Dotcom describes those Hong Kong years as "the best time of my life." He began renting the top floor of the Hong Kong Grand Hyatt and made frequent trips to the Philippines, where he recruited offshore staff and met his wife, ex-model Mona Verga. Soon, he says, he employed 12 people in Hong Kong, 90 in the Philippines and dozens more in Germany, Mexico, Brazil, Britain and Portugal.

As Megaupload grew, an ecosystem of illegal services began to form around it like remoras around a whale. Sites like Surfthechannel, Quicksilverscreen and FilesTube began to catalog entire seasons of copyrighted TV shows, pirated music and movies on Megaupload. Dotcom says he was careful to abide by the U.S.' digital copyright act (called the DMCA), which required that his sites take down infringing content after it's pointed out by the content's owner. But the files often reappeared within days--in 2009 FORBES tracked one film, District 9, that was uploaded to Megavideo more than 127 times and removed 89 times.

Still, Dotcom's sites were used for legal file storage and sharing, too. Users included employees from 70 of the world's 100 biggest companies, by Dotcom's reckoning, and he was confident that his business was sheltered within the DMCA's safe harbor, which puts the onus on the copyright holder, not services like Megaupload. At worst he expected a copyright lawsuit like the one Viacom launched against Google over YouTube, which Google won in 2010. (Viacom won an appeal and the case is now back in litigation.)

By 2011 Megaupload had become an Internet behemoth, pushing 1.5 terabits per second of bandwidth at peak times. According to the Department of Justice, the company generated $175 million in sales over its lifetime, mostly from premium accounts (the feds say Dotcom personally pocketed $42 million in 2010). The site had 150 million registered users, and Dotcom planned a public offering he expected to give it a valuation of more than $2 billion. With his 65% stake in the company he would be a billionaire.

Then, a day before his 38th birthday, the U.S. government took it all away.

***

THE 72-PAGE federal indictment unsealed in January 2012 alleged that Dotcom, Ortmann, Van Der Kolk and four others had taken part in what it dubbed the Mega Conspiracy. It set off a firestorm.

Just days before the helicopter raid on Dotcom's mansion, a wave of Web protests had persuaded the U.S. Congress to kill the Stop Online Piracy Act (SOPA), a bill that would have censored so-called "rogue foreign websites" accused of copyright infringement. When Megaupload was suddenly torn offline, "it was a death sentence without a verdict," says Julian Sanchez, an Internet policy research fellow for the Cato Institute. "You have to wonder if it was timed to send a message to sites around the world: Don't think you're safe just because SOPA was defeated."

The hacker group Anonymous went on a revenge rampage, launching cyberattacks against the Justice Department, FBI, MPAA and Universal Music websites. One blogger compared Megaupload's takedown with the burning of the Library of Alexandria. The digital rights group Electronic Frontier Foundation launched MegaRetrieval, aimed at getting legitimate users of the site their data back from the U.S. government.

Over the next months the prosecution would make serious missteps: A New Zealand court found that evidence in the case had been illegally transferred from Auckland to the U.S. And it soon became clear that New Zealand's extradition treaty didn't cover copyright infringement; the U.S. would have to prove in a Kiwi court that Megaupload staff had engaged in a mafia-style criminal conspiracy that violated RICO law. Finally, New Zealand's spy agency admitted it had illegally surveilled Dotcom's home, forcing the prime minister to issue a public apology.

Meanwhile, Kim Dotcom was going on the offensive. While briefly in a New Zealand jail, Dotcom and Ortmann began brainstorming a plan for a new company. Its secret weapon: ubiquitous encryption.

Ortmann, who had been visiting Dotcom for his birthday when the raid occurred, was now legally trapped in New Zealand. So he moved in with Van Der Kolk, and in September 2012 they began to code the new site. "The prosecution's biggest mistake was bailing me to the same address as Bram," says Ortmann when we meet in his and Van Der Kolk's living room overlooking Auckland's Orakei Basin. He gestures toward their shared office. "This is where the new Mega was born."

The site was launched in a bombastic event at the Dotcom Mansion, complete with Maori performers and a parody of the police raid that included a fake SWAT team rappelling off his roof and a real helicopter. Mega offered users 50 gigabytes of storage for free, compared with 2 gigabytes from Dropbox, 5 from Google or Apple, and 7 from Microsoft. Within 24 hours the site claimed a million users and is on track to bank millions from premium accounts in its first year.

The service that Ortmann and Van Der Kolk assembled offers privacy features few have dared to try. When a user signs up, a pair of cryptographic keys are generated in the browser that effortlessly encrypt and decrypt files--no downloads required.

Whether that browser-based encryption can stand up to sophisticated crackers--much less the NSA--has long been a subject of controversy in the cryptography community. But arguing the details of Mega's security may miss the point. The company's main concern may not be protecting data from spies, so much as from itself. Its encryption setup means it can't be held responsible for filtering copyrighted content, skirting the DMCA's legal ambiguity. "All that matters is Mega's ability to plausibly claim they don't have any way to identify copyrighted material on their servers," says cryptographer Moxie Marlinspike, a former director of product security at Twitter.

Ortmann denies that Mega is engaging in "willful blindness" and says that it's doing everything in its power to offer real privacy to users. But Dotcom himself contends that a true privacy service means that no one, not even the service itself, knows what it's hosting. If required, Mega will work with law enforcement to hand over noncontent data like IP addresses. But it won't expose--technically can't expose--users' data. "If you build a highway, you don't know what's in the trucks on it," says Dotcom. "Why should we? It's your data, it's your business."

Browser-based storage is only the beginning for Mega. Mobile applications for Android and iOS are coming soon. By the end of this year Dotcom says he'll offer encrypted e-mail and text messaging and, later, encrypted voice calls to compete with Google and Skype. And he's also incubating plans for a Spotify competitor called Megabox, a service for original music that lets the artist keep 90% of the revenue. He claims he's planning a Mega IPO on the New Zealand stock exchange next year.

"By the time this is all over," Dotcom says, "I'll have already built the next online empire."

***

Doubling down: Facing decades in prison if extradited, Dotcom vows he “will not spend a day in a U.S. jail." (Photo: Brendon O'Hagan for FORBES)

AS WE SIT ON HIS mansion's patio beside the pool, Dotcom considers his future, and his mood darkens. "We'll sue the U.S. government...We'll destroy the studios that triggered all of this with misinformation and corruption," he says. "Someone will pay. I won't settle for a handshake and an apology. And I will not spend a day in a U.S. jail."

He follows with one of his many racing tales: In the 500-meter final stretch of the 2004 road race that began in Morocco and ended in Cannes, Dotcom and his copilot Ortmann hit a traffic jam on Cannes' main drag, the Boulevard de la Croisette.

Dotcom didn't hesitate: He drove his Mercedes over the curb, between the palm trees and over a hedge onto the crowded sidewalk. As stunned tourists scattered, he cruised down the walkway past his trapped competitors and pulled into the Carlton Cannes hotel to win the race. "It seemed like we had lost and there was no way. But we found a lane," Dotcom muses. "This is my gift. I will always find a lane."

And God help anyone who's in his way.

__

Correction: An earlier version of this story noted that Viacom "is appealing" the 2010 result of its lawsuit against Google. In fact, Viacom won that appeal and the case is now back in litigation in a District Court. Apologies for the error.